Add 'token' voter type for simplified CSV uploads

claude · claude · commit 58f8b7d4e358 · 2026-01-18T15:39:55.000Z
Implement new CSV format for token-based elections:
  token,&lt;email&gt;,&lt;full name&gt;

Key features:
- Auto-enables use_token_auth when token voters are uploaded
- Prevents mixing token and password voters (in same CSV or election)
- Simplified format with only email and name (no unique_id needed)
- voter_login_id is set to email for token voters

Changes:
- VoterFile.itervoters(): Parse "token" rows with format validation
- VoterFile.process(): Add mixing checks and auto-enable logic
- voters_upload.html: Show both token and password formats
- Add comprehensive tests for upload scenarios and validation

Backward compatible: existing "password" CSV format still works.
diff --git a/helios/models.py b/helios/models.py
@@ -785,6 +785,32 @@ def itervoters(self):
         continue
 
       voter_type = voter_fields[0].strip()
+
+      # Special handling for "token" voter type
+      if voter_type == "token":
+        # Format: token,<email>,<full name>
+        if len(voter_fields) < 3:
+          raise Exception("token voter format requires: token,<email>,<full name>")
+
+        voter_email = voter_fields[1].strip()
+        voter_name = voter_fields[2].strip()
+
+        # Validate email
+        if not validate_email(voter_email):
+          raise Exception("invalid email '%s' for token voter" % voter_email)
+
+        # Use email as voter_id for token voters
+        voter_id = voter_email
+
+        yield {
+          'voter_type': voter_type,
+          'voter_id': voter_id,
+          'email': voter_email,
+          'name': voter_name,
+        }
+        continue
+
+      # Standard handling for other voter types
       voter_id = voter_fields[1].strip()
 
       if not voter_type in AUTH_SYSTEMS:
@@ -819,6 +845,31 @@ def process(self):
     self.num_voters = len(voters)
     random.shuffle(voters)
 
+    # Check for mixing of token and password voters
+    has_token_voters = any(v['voter_type'] == 'token' for v in voters)
+    has_password_voters = any(v['voter_type'] == 'password' for v in voters)
+
+    # Cannot mix token and password voters in the same upload
+    if has_token_voters and has_password_voters:
+      raise Exception("Cannot mix 'token' and 'password' voter types in the same upload. Please use only one authentication method per election.")
+
+    # Check existing voters in the election
+    existing_password_voters = self.election.voter_set.filter(voter_password__isnull=False).exists()
+    existing_token_voters = self.election.voter_set.filter(voting_token__isnull=False).exists()
+
+    # Cannot upload token voters if election already has password voters
+    if has_token_voters and existing_password_voters:
+      raise Exception("Cannot upload token voters to an election that already has password voters. Election must use a single authentication method.")
+
+    # Cannot upload password voters if election already has token voters
+    if has_password_voters and existing_token_voters:
+      raise Exception("Cannot upload password voters to an election that already has token voters. Election must use a single authentication method.")
+
+    # Auto-enable token auth if all voters are token type
+    if has_token_voters and not self.election.use_token_auth:
+      self.election.use_token_auth = True
+      self.election.save()
+
     opted_out_voters = []
     successful_voters = 0
 
@@ -834,7 +885,29 @@ def process(self):
           })
           continue
 
-      if voter['voter_type'] == 'password':
+      if voter['voter_type'] == 'token':
+          # Token voter type - always generates voting tokens
+          # does voter for this user already exist
+          existing_voter = Voter.get_by_election_and_voter_id(self.election, voter['voter_id'])
+          if existing_voter:
+              continue
+          # create the voter
+          voter_uuid = str(uuid.uuid4())
+          new_voter = Voter(uuid=voter_uuid, user = None, voter_login_id = voter['voter_id'],
+              voter_name = voter['name'], voter_email = voter['email'], election = self.election)
+          new_voter.generate_voting_token()
+          election=self.election
+          if election.use_voter_aliases:
+              # Use transaction to ensure alias assignment is atomic
+              with transaction.atomic():
+                  utils.lock_row(Election, election.id)
+                  alias_num = election.last_alias_num + 1
+                  new_voter.alias = "V%s" % alias_num
+                  new_voter.save()
+          else:
+              new_voter.save()
+          successful_voters += 1
+      elif voter['voter_type'] == 'password':
           # does voter for this user already exist
           existing_voter = Voter.get_by_election_and_voter_id(self.election, voter['voter_id'])
           if existing_voter:
diff --git a/helios/templates/voters_upload.html b/helios/templates/voters_upload.html
@@ -8,26 +8,48 @@ <h2 class="title">{{election.name}} &mdash; Bulk Upload Voters <span style="font
     If you would like to specify your list of voters by name and email address,<br />
     you can bulk upload a list of such voters here.<br /><br />
 
-    Please prepare a text file of comma-separated values with the fields:
+    Please prepare a text file of comma-separated values with one of the following formats:
 </p>
+
+<p><strong>For token-based authentication:</strong></p>
 <pre>
-   password,&lt;unique_id&gt;,&lt;email&gt,&lt;full name&gt;
+   token,&lt;email&gt;,&lt;full name&gt;
 </pre>
-<p>
-or
-</p>
+
+<p><strong>For password-based authentication:</strong></p>
+<pre>
+   password,&lt;unique_id&gt;,&lt;email&gt;,&lt;full name&gt;
+</pre>
+
+<p><strong>For other authentication systems (GitHub, Google, etc.):</strong></p>
 <pre>
    github,&lt;username&gt;
 </pre>
 
 <p>
-For example:
+<strong>Examples:</strong>
   </p>
   <pre>
-      password,bobsmith,bob@acme.org,Bob Smith
+      token,alice@example.com,Alice Smith
+      token,bob@example.com,Bob Jones
+      ...
+  </pre>
+  <p>or</p>
+  <pre>
+      password,alice123,alice@example.com,Alice Smith
+      password,bob456,bob@example.com,Bob Jones
+      ...
+  </pre>
+  <p>or</p>
+  <pre>
       github,benadida
       ...
-  </pre> 
+  </pre>
+
+<p>
+<strong>Important:</strong> You cannot mix different authentication methods in the same election.
+All voters must use either token-based or password-based authentication, not both.
+</p> 
 
   <p>
     The easiest way to prepare such a file is to use a spreadsheet program and to export as "CSV".
diff --git a/helios/tests.py b/helios/tests.py
@@ -542,6 +542,149 @@ def test_token_authentication_functional(self):
         self.assertEqual(election.voter_set.get(voting_token=voter.voting_token).id, voter.id)
         self.assertEqual(election.voter_set.get(voting_token=voter2.voting_token).id, voter2.id)
 
+    def test_upload_token_voters(self):
+        """Test uploading token voters via CSV"""
+        from unittest.mock import patch
+
+        # Create a new election
+        election = models.Election.objects.create(
+            admin=auth_models.User.objects.get(user_id='ben@adida.net', user_type='google'),
+            uuid=str(uuid.uuid4()),
+            short_name='token-upload-test',
+            name='Token Upload Test Election',
+            election_type='election',
+            use_token_auth=False,  # Start as False, should auto-enable
+            cast_url='http://localhost:8000/helios'
+        )
+
+        # Upload token voters via VoterFile
+        csv_content = "token,alice@acme.com,Alice Smith\ntoken,bob@acme.com,Bob Jones"
+        voter_file = models.VoterFile(election=election, voter_file_content=csv_content)
+        voter_file.save()
+
+        # Mock validate_email to avoid DNS issues
+        with patch('helios.models.validate_email', return_value=True):
+            voter_file.process()
+
+        # Verify use_token_auth was auto-enabled
+        election.refresh_from_db()
+        self.assertTrue(election.use_token_auth)
+
+        # Verify voters were created with tokens
+        voters = election.voter_set.all()
+        self.assertEqual(voters.count(), 2)
+
+        alice = election.voter_set.get(voter_email='alice@acme.com')
+        self.assertEqual(alice.voter_login_id, 'alice@acme.com')
+        self.assertEqual(alice.voter_name, 'Alice Smith')
+        self.assertIsNotNone(alice.voting_token)
+        self.assertEqual(len(alice.voting_token), 20)
+
+        bob = election.voter_set.get(voter_email='bob@acme.com')
+        self.assertEqual(bob.voter_login_id, 'bob@acme.com')
+        self.assertEqual(bob.voter_name, 'Bob Jones')
+        self.assertIsNotNone(bob.voting_token)
+
+    def test_upload_mixed_voters_in_same_csv(self):
+        """Test that mixing token and password voters in same CSV fails"""
+        from unittest.mock import patch
+
+        election = models.Election.objects.create(
+            admin=auth_models.User.objects.get(user_id='ben@adida.net', user_type='google'),
+            uuid=str(uuid.uuid4()),
+            short_name='mixed-test',
+            name='Mixed Test Election',
+            election_type='election',
+            cast_url='http://localhost:8000/helios'
+        )
+
+        # CSV with both token and password voters
+        csv_content = "token,alice@acme.com,Alice Smith\npassword,bob123,bob@acme.com,Bob Jones"
+        voter_file = models.VoterFile(election=election, voter_file_content=csv_content)
+        voter_file.save()
+
+        # Should raise exception about mixing
+        with patch('helios.models.validate_email', return_value=True):
+            with self.assertRaises(Exception) as context:
+                voter_file.process()
+            self.assertIn("Cannot mix", str(context.exception))
+
+    def test_upload_token_voters_after_password_voters(self):
+        """Test that uploading token voters to election with password voters fails"""
+        from unittest.mock import patch
+
+        election = models.Election.objects.create(
+            admin=auth_models.User.objects.get(user_id='ben@adida.net', user_type='google'),
+            uuid=str(uuid.uuid4()),
+            short_name='password-first-test',
+            name='Password First Test Election',
+            election_type='election',
+            use_token_auth=False,
+            cast_url='http://localhost:8000/helios'
+        )
+
+        # First upload password voters
+        csv_content1 = "password,alice123,alice@acme.com,Alice Smith"
+        voter_file1 = models.VoterFile(election=election, voter_file_content=csv_content1)
+        voter_file1.save()
+
+        with patch('helios.models.validate_email', return_value=True):
+            voter_file1.process()
+
+        # Verify password voter was created
+        self.assertEqual(election.voter_set.count(), 1)
+        alice = election.voter_set.first()
+        self.assertIsNotNone(alice.voter_password)
+
+        # Now try to upload token voters - should fail
+        csv_content2 = "token,bob@acme.com,Bob Jones"
+        voter_file2 = models.VoterFile(election=election, voter_file_content=csv_content2)
+        voter_file2.save()
+
+        with patch('helios.models.validate_email', return_value=True):
+            with self.assertRaises(Exception) as context:
+                voter_file2.process()
+            self.assertIn("already has password voters", str(context.exception))
+
+    def test_upload_password_voters_after_token_voters(self):
+        """Test that uploading password voters to election with token voters fails"""
+        from unittest.mock import patch
+
+        election = models.Election.objects.create(
+            admin=auth_models.User.objects.get(user_id='ben@adida.net', user_type='google'),
+            uuid=str(uuid.uuid4()),
+            short_name='token-first-test',
+            name='Token First Test Election',
+            election_type='election',
+            use_token_auth=False,
+            cast_url='http://localhost:8000/helios'
+        )
+
+        # First upload token voters
+        csv_content1 = "token,alice@acme.com,Alice Smith"
+        voter_file1 = models.VoterFile(election=election, voter_file_content=csv_content1)
+        voter_file1.save()
+
+        with patch('helios.models.validate_email', return_value=True):
+            voter_file1.process()
+
+        # Verify token voter was created and use_token_auth was enabled
+        election.refresh_from_db()
+        self.assertTrue(election.use_token_auth)
+        self.assertEqual(election.voter_set.count(), 1)
+        alice = election.voter_set.first()
+        self.assertIsNotNone(alice.voting_token)
+
+        # Now try to upload password voters - should fail
+        csv_content2 = "password,bob123,bob@acme.com,Bob Jones"
+        voter_file2 = models.VoterFile(election=election, voter_file_content=csv_content2)
+        voter_file2.save()
+
+        with patch('helios.models.validate_email', return_value=True):
+            with self.assertRaises(Exception) as context:
+                voter_file2.process()
+            self.assertIn("already has token voters", str(context.exception))
+
 
 class CastVoteModelTests(TestCase):
     fixtures = ['users.json', 'election.json']
